
Friday, March 9, 2012

Android.Gonfu.B


Type: Trojan
Infection Length: 1,119,612 bytes

Android.Gonfu.B is a Trojan horse that steals information from Android devices.
Android package file
The Trojan may arrive as the following .apk file:
Package name: lockgallery_2.2.apk


Permissions
When the APK is being installed, it requests the following permissions:
  • Write to external storage devices.
  • Gather information about recently running tasks.
  • Open network connections.
  • Allow access to low-level system logs.
  • Make the phone vibrate.
  • Access information about networks.
  • Monitor, modify, or end outgoing calls.
  • Check the phone's current state.
  • Prevent processor from sleeping or screen from dimming.
  • End all background processes associated with the package.


Installation
The threat contains the following malicious class files inside classes.dex:
  • UpdateCheck.class
  • UpdateCheck$1.class

When the APK is executed, it registers UpdateCheck.class as a service, which loads the following native Android file used to carry out further actions:
libadv3.so

It then attempts to gain super user privileges. If it is unsuccessful, the Trojan will exit.

The Trojan also sets the following system property to 0, so that only one instance of the threat runs at a time:
r0.bot.run

The Trojan then drops the following file and then executes it:
/data/data/com.catsw.lockgallery/.e[RANDOM NUMBER]d

It then overwrites the following files with copies of itself:
  • /system/bin/rm
  • /system/bin/move
  • /system/bin/mount
  • /system/bin/ifconfig
  • /system/bin/chown
  • /system/bin/debuggerd
  • /system/bin/vold


The Trojan modifies the following file in order to launch itself at startup:
/system/bin/svc

It also modifies the following file with configuration information:
/system/build.prop

It then copies itself to the following file in an attempt to prevent the Trojan from being removed from the device:
/system/lib/libd1.so
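The file-system indicators listed above (byte-identical copies among the overwritten /system/bin programs, the /system/lib/libd1.so copy and the dropped .e[RANDOM NUMBER]d file) can be checked with a small script. This is an added example written for this page, not part of the original writeup; it assumes the tree to inspect is given as its argument (for instance "/" in an adb shell, or a directory populated with adb pull).

```shell
#!/bin/sh
# Constructed example (not from the original writeup): scan an Android system
# tree under $1 for the file-system indicators attributed to Android.Gonfu.B.
# Prints each finding and returns 1 if anything matched, 0 if nothing did.
gonfu_check() {
    root=${1%/}
    found=0

    # (a) The Trojan overwrites these /system/bin programs with copies of
    # itself, so two or more of them being byte-identical is the signal.
    # Symlinks (e.g. toolbox applets) are skipped: those legitimately share
    # one target and would otherwise be a false positive.
    sums=$(
        for name in rm move mount ifconfig chown debuggerd vold; do
            f="$root/system/bin/$name"
            if [ -f "$f" ] && [ ! -L "$f" ]; then
                # cksum is POSIX and prints "<crc> <size> <file>"
                crc=$(cksum "$f" | awk '{ print $1 ":" $2 }')
                echo "$crc $name"
            fi
        done
    )
    dups=$(printf '%s\n' "$sums" | sort | awk '
        NF { seen[$1]++; names[$1] = names[$1] " " $2 }
        END { for (k in seen) if (seen[k] > 1) print "identical binaries:" names[k] }')
    if [ -n "$dups" ]; then
        echo "$dups"
        found=1
    fi

    # (b) Copy the Trojan plants to resist removal.
    if [ -e "$root/system/lib/libd1.so" ]; then
        echo "present: /system/lib/libd1.so"
        found=1
    fi

    # (c) Dropped executable named .e<random number>d in the app's data dir.
    for f in "$root"/data/data/com.catsw.lockgallery/.e*d; do
        if [ -e "$f" ]; then
            echo "dropped file: ${f#"$root"}"
            found=1
        fi
    done

    return $found
}
```

On a live device, `getprop r0.bot.run` complements this check, since the property described above only exists in memory and is not visible in a pulled copy of the file system.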


Remote Access
The Trojan connects to the following command-and-control servers, where it can receive additional commands:
  • [http://]ad.pandanew.com:8511/sea[REMOVED]
  • [http://]ad.phonego8.com:8511/sea[REMOVED]
  • [http://]ad.my968.com:8511/sea[REMOVED]
